
EvilOSX

Posted: April 14, 2020

EvilOSX is a Remote Access Trojan that provides threat actors with control over infected macOS systems. Because the Trojan is available as freeware, its distribution model could use any number of exploits or tactics. Users should protect themselves with appropriate software for identifying and deleting EvilOSX on sight, and install security patches to reduce their computer's exposure.

The Evil that's Free for All Takers

Although it's not the most glamorous resource for a Trojan campaign, GitHub is a neverending fountain of software code, both benign and threatening, for Windows, the Internet-of-Things, and even Apple-brand computers and devices. As an example of a Trojan targeting the latter, EvilOSX shows that it is unsafe to assume a dormant Trojan will stay dormant. Updates to the threat have, over time, increased its attack capabilities drastically.

Early versions of EvilOSX offer few sophisticated features. The Trojan emulates a terminal through an easy-to-use interface that lets attackers control the device as if they were physically present. The Remote Access Trojan, or RAT, also has the unusual format of being purely Python-based, with no external dependencies, which minimizes the presence of additional files or setup work.

New releases of EvilOSX, months after the earliest ones, are also available on GitHub for any interested party. The macOS Trojan has extra features packed into these versions: additional network encryption for evading security solutions, multi-threading, and gaining root access (which makes the RAT double as a rootkit) for persistence. Malware researchers also point out the following functions as especially threatening to average users:

  • EvilOSX can collect passwords from the Chrome Web browser.
  • The Trojan also collects information related to Apple's iCloud, including passwords (via iTunes phishing), the file-based structure of backups, tokens and contacts.
  • EvilOSX has webcam access and can capture still images from the camera feed.
  • EvilOSX has full file downloading and uploading capabilities.

This focus on the exfiltration of information makes EvilOSX well-suited to gathering data that can be sold on the black market or used for blackmail. However, attackers also could use EvilOSX for downloading and running additional threats.

Keeping Trojans from Biting Your Apple

EvilOSX is one of the less-commonplace Trojans in circulation, and malware researchers haven't seen any campaigns deploying the RAT in significant numbers. However, as noted previously, GitHub hosting makes it possible for the Trojan to make a comeback at any point. EvilOSX also may update or uninstall itself, and expand its features with modules, thus keeping it relevant to the current threat landscape. Additionally, at least one campaign 'bundles' EvilOSX with a second threat, the EggShell backdoor Trojan, and hides the installation behind a semi-functional cryptocurrency application (CoinTicker).

If they're suspicious, users of macOS devices can search for the LaunchAgents persistence component for EvilOSX, which has no identity obfuscation and should be visible. However, deleting this file doesn't remove all of EvilOSX's persistence mechanisms, most importantly the root access gained through privilege escalation.
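As an added example, not code from the article or from the EvilOSX project, the following defender-side script parses the LaunchAgents plists and flags any entry that launches a Python interpreter or a .py script, which is what an unobfuscated, pure-Python persistence component of the kind described above would look like. The directory list and the sample plists written by demo() are constructed assumptions.

```python
# Added example, not code from the article: enumerate LaunchAgents plists and
# flag any that launch a Python interpreter or a .py script, the kind of
# unobfuscated pure-Python persistence entry the article describes.
# Directory list and the sample plists in demo() are constructed assumptions.
import os
import plistlib
import tempfile

LAUNCH_AGENT_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
                     "/Library/LaunchAgents"]

def is_python_launch(args):
    """True if any argument names a Python interpreter or a .py script."""
    for a in args:
        base = os.path.basename(str(a)).lower()
        if base.startswith("python") or base.endswith(".py"):
            return True
    return False

def scan_launch_agents(dirs=LAUNCH_AGENT_DIRS):
    """Parse every .plist in dirs; return (path, label, args) for suspects."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    data = plistlib.load(f)
            except Exception:
                continue  # unreadable or malformed plist: skip it
            if not isinstance(data, dict):
                continue  # launchd plists have a dict root; anything else is noise
            args = data.get("ProgramArguments") or [data.get("Program", "")]
            if is_python_launch(args):
                hits.append((path, data.get("Label"), list(args)))
    return hits

def demo():
    """Write a constructed suspicious agent plus a benign one, then scan."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = {"com.example.pyagent": ["/usr/bin/python3", "/tmp/agent.py"],
                  "com.example.benign": ["/usr/bin/say", "hello"]}
        for label, args in agents.items():
            with open(os.path.join(tmp, label + ".plist"), "wb") as f:
                plistlib.dump({"Label": label, "ProgramArguments": args,
                               "RunAtLoad": True}, f)
        return scan_launch_agents([tmp])
```

Running scan_launch_agents() with its default directories on a real Mac lists candidate entries for manual review; a hit is a lead, not proof, and as the article notes, removing the plist alone does not undo root-level persistence.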

Trustworthy anti-malware products compatible with macOS systems may remove EvilOSX, or stop infections from occurring through methods such as torrents or e-mail attachments. Malware experts also suggest changing passwords afterward for self-evident reasons.

Free hosting is a precious resource, but sadly, it is also one that's subject to routine exploitation. EvilOSX is just one point in a long pattern of the same, à la the Molerats' Poison Ivy backdoor Trojan or the Stantinko Botnet's crypto-mining operations.
